The note didn't indicate why the company hadn't disclosed the higher number before, but The New York Times reports that the revelation comes after Connecticut's attorney general and several other state regulators have opened investigations into the breach and begun demanding more information about it.

Citi said the information the hackers viewed included customer names, account numbers and contact information, but that Social Security numbers, birthdates, card expiration dates and security codes (known as CVV) were not accessed by the hackers. The company also said its main card-processing system was not breached in the attack.

The company began to notify customers affected by the breach, and re-issue about 217,000 new cards on June 3, but then waited until June 9 to disclose it to the public. In its note this week, the company listed the number of affected accounts by state. California had the highest number of affected customers at more than 80,000, followed by Texas with 44,000, Illinois, New York and Florida.

Citi said it has implemented "enhanced procedures" to prevent a recurrence of the breach, but didn't elaborate.

The attack involves typing various strings of data into the address bar of the browser to gain access. The attackers used an automated tool to type in repeated account numbers into the address bar, tens of thousands of times, to access the account data.